The six-year fight over the type of harm a plaintiff must allege to satisfy the “injury in fact” requirement for lawsuits alleging false reporting of credit information took its latest turn this week. On Tuesday, August 15, 2017, the U.S. Court of Appeals for the Ninth Circuit, on remand from the United States Supreme Court, issued its opinion in Spokeo, Inc. v. Robins, a highly-watched case challenging whether a plaintiff can satisfy Article III standing based solely on a technical violation of the Fair Credit Reporting Act (FCRA). Plaintiff Thomas Robins brought a putative class action for willful violations of the FCRA against Spokeo, Inc., a company that generates profiles about people based on publicly available data. Among other things, Robins averred that Spokeo published an allegedly inaccurate profile about him on its website and therefore harmed his employment prospects at a time when he was out of work. The Ninth Circuit’s three-judge panel held that the publication of materially inaccurate information about Robins sufficed as concrete injury for purposes of Article III standing, even without specific allegations of tangible harm from that publication.
According to the German Federal Labor Court, Germany’s highest court for employment disputes, German employers are not allowed to monitor employees in the workplace without a concrete suspicion of a criminal violation or, in some cases, a serious breach of duty (judgment dated July 27, 2017, case ref. 2 AZR 681/16). This means that employer monitoring of an employee’s computer usage without a concrete suspicion, including the use of keylogging software that records all keyboard entries made at a desktop computer does not comply with German data privacy laws. Courts may exclude evidence obtained under violation of German data privacy laws from their proceedings. Continue Reading
The International Institute for Conflict Prevention and Resolution, a New York-based organisation offering Alternative Dispute Resolution (ADR) services, has recently announced the launch of a new specialised panel of neutrals, commissioned to deal with cybersecurity disputes. The Cyber Panel is composed of experts in cyber-related areas such as data breaches and subsequent insurance claims. In a press release, Noah Hanft, President of CPR, described the new panel as guiding the “critical effort” by businesses to “prevent and/or resolve cyber-related disputes in a manner that best protects operations, customers and reputation” due to attacks now occurring with increased frequency and sophistication. Continue Reading
On 7 August 2017, the UK Department for Culture, Media and Sport (DCMS) published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998 (DPA).
As a follow-up to our previous reports (December 30, 2016 Alert; February 24, 2017 Alert) regarding the cybersecurity regulations issued by the New York State Department of Financial Services (NYDFS), we would like to remind covered entities that the first of several implementation deadlines is this month, on August 28, 2017. To help you prepare, we are providing here an overview of the August 28, 2017 implementation requirements for covered entities.
In addition to this overview, covered entities may also turn to the NYDFS’ Frequently Asked Questions Regarding 23 NYCRR Part 500 as a helpful resource in preparing for implementation. Continue Reading
The Federal Trade Commission (“FTC”) released an updated guidance document for complying with the Children’s Online Privacy Protection Act (“COPPA”). The revised guidance, released on June 21, 2017, explicitly identifies connected toys and other Internet of Things devices as being covered under COPPA and adds clarity to web operators’ responsibility for the activities of third parties, such as ad networks and plug-ins, that collect personal information protected under COPPA. It also includes recently approved methods for obtaining verifiable parental consent. Continue Reading
On August 1, a bipartisan group of four senators introduced a bill that would impose specific cybersecurity requirements on providers of Internet of Things (IoT) devices when doing business with the U.S. Government and provide liability protections for security researchers who disclose vulnerabilities affecting these devices. Though the bill’s security requirements would apply only in cases where entities are acting as contractors to the U.S. Government, if enacted, it likely would be influential on IoT vendors operating in the consumer context as well. The bill is largely consistent with an ongoing multistakeholder effort led by the National Telecommunications and Information Administration (NTIA) aimed at developing voluntary security standards for Internet-connected devices.
How do you ensure that an Internet-connected sensor or device—often inexpensive and designed for lifespans of up to 20 years or more—can be secured against not only the intrusions of today but also those of the future? This question has taken on new urgency as low-cost Internet-connected devices are increasingly being co-opted into massive networks, known as “botnets,” that are capable of causing widespread disruption.
Both government regulators and industry have been working together to solve this and related questions by developing best practices for mitigating security risks from unpatched or unsupported devices. As we discussed in January, the National Telecommunications and Information Administration (NTIA), an independent agency within the Department of Commerce, is leading a multi-stakeholder process to consider opportunities and challenges associated with the Internet of Things (IoT). Since then, a working group convened by the NTIA has published a draft set of industry best practices for communicating to consumers when patches are available and when device manufacturers support sunsets. The Federal Trade Commission (FTC), consumer representatives and industry have submitted comments discussing these issues. Continue Reading
Earlier this year, the National Association of Corporate Directors (NACD) released an updated version of its Director’s Handbook on Cyber-Risk Oversight (Handbook). The updates add 16 pages of content to the previously 28-page document, including four additional appendices. While the use of and compliance with the Handbook is not mandatory, the Handbook is influential in shaping governance practices and thus it is prudent for those involved in corporate governance to familiarize themselves with the changes. Continue Reading